Abstract

We prove several decidability and undecidability results for ν-PN, an
extension of P/T nets with pure name creation and name management. We give a
simple proof of undecidability of reachability, by reducing reachability in nets
with inhibitor arcs to it. Thus, the expressive power of ν-PN strictly surpasses
that of P/T nets. We prove that ν-PN are Well Structured Transition Systems.
In particular, we obtain decidability of coverability and termination, so
that the expressive power of Turing machines is not reached. Moreover, they
are strictly Well Structured, so that the boundedness problem is also decidable.
We consider two properties, width-boundedness and depth-boundedness, that
factorize boundedness. Width-boundedness has already been proved to be
decidable. We prove here undecidability of depth-boundedness. Finally, we obtain
Ackermann-hardness results for all our decidable decision problems.

Keywords: Petri nets, pure names, Well Structured Transition Systems,
decidability



1. Introduction 

Pure names are identifiers with no relation between them other than equality.
Dynamic name generation has been thoroughly studied, mainly in the field of
security and mobility [13] because they can be used to represent channels, as
in π-calculus [i^, ciphering keys, as in spi-Calculus ^5] or computing
boundaries, as in the Ambient Calculus.



In previous works we have studied a very simple extension of P/T nets
that we called ν-PN [25], [28], for name creation and management. Tokens in
ν-PN are pure names, that can be created fresh, moved along the net and be
used to restrict the firing of transitions with name matching. They essentially
correspond to the minimal OO-nets of [18], where names are used to identify
objects.

In this paper we prove several (un)decidability and complexity results for
some decision problems in ν-PN. In [18] the author proved that reachability is
undecidable for minimal OO-nets, thus proving that the model surpasses the
expressive power of P/T nets. The same result was obtained independently in [25]
for ν-PN. Both undecidability proofs rely on a weak simulation of a Minsky
machine that preserves reachability. We present here an alternative and simpler
proof of the same result, based on a simulation of Petri nets with inhibitor arcs
(thus, with a much smaller representation gap) that reduces reachability in the
latter (which is undecidable) to reachability in ν-PN.

In [2^ we proved well structuredness [1, 13] of a class of nets we called
MSPN. It is easy to see that ν-PN can easily encode MSPN. We present here
full details of the proof of well structuredness for ν-PN instead of for MSPN,
since the former is a much cleaner formalism. This gives us decidability
of coverability (which is an important property since safety properties can
be specified in terms of it) and termination. We also prove that the
well structuredness of ν-PN is strict, so that boundedness (whether there are
infinitely many reachable markings) is also decidable [10]. Moreover, we work
with an extended version of ν-PN, in which we allow weights in arcs,
simultaneous creation of several fresh names and checks for inequality.

ν-PN can represent infinite state systems that can grow in two orthogonal
directions: on the one hand, markings may have an unbounded number of
different names; on the other hand, each name may appear in markings an
unbounded number of times. In the first case we will say the net is
width-unbounded, and in the second we will say it is depth-unbounded. In we
proved decidability of width-boundedness by performing a forward analysis that,
though incomplete in general for the computation of the cover, can decide
width-boundedness. In particular, we instantiated the general framework developed
in [11], [12] for forward analyses of WSTS in the case of ν-PN.



Here we prove undecidability of depth-boundedness. Thus, though both
boundedness concepts are closely related, they behave very differently. The
proof reduces boundedness in reset nets, which is known to be undecidable [1], to
depth-boundedness in ν-PN. This result can be rather surprising. Actually, the
paper Q erroneously establishes the decidability of depth-boundedness (called
t-boundedness there).

Related work. Another model based on Petri nets that has names as tokens
is Data Nets, which are also WSTS. In Data Nets, tokens are not pure
in general, but taken from a linearly-ordered infinite domain. Names can be
created, but they can only be guaranteed to be fresh by explicitly using the
order in the data domain, by taking a datum which is greater than any other
that has been used. Thus, in an unordered version of Data Nets, names cannot
be guaranteed to be fresh.

Other similar models include Object Nets 3^, 31 1, that follow the so called
nets-within-nets paradigm. In Object Nets, tokens can themselves be Petri nets
that synchronize with the net in which they lie. This model is supported by
the RENEW tool [19], a tool for the edition and simulation of Object Petri
Nets. Moreover, the RENEW tool can represent ν-PN and, therefore, be used
to simulate them.

Several papers study the expressive power of Object Nets. The paper [l^
considers a two level restriction of Object Nets, called Elementary Object Nets
(EON), and proves undecidability of reachability for them. This result extends
those in llSll. Moreover, some subclasses are proved to have decidable
reachability. In [ITj l it is shown that, when the synchronization mechanism is
extended so that object tokens can be communicated, then Turing completeness is
obtained. However, in all these models processes (object nets) do not have
identities.

Nested Petri Nets [21] also have nets as tokens, that can evolve autonomously,
move along the system net, synchronize with each other or synchronize with the
system net (vertical synchronization steps). Nested nets are more expressive
than ν-PN. Indeed, it is possible to simulate every ν-PN by means of a Nested
Petri Net which uses only object-autonomous and horizontal synchronization
steps. In Nested Petri Nets, reachability and boundedness are undecidable,
although other problems, like termination, remain decidable [22]. Thus,
decidability of termination can also be obtained as a consequence of Here we
obtain decidability of termination on the way of the proof of decidability for
boundedness and coverability.

Outline. The rest of the paper is structured as follows. Section 2 presents
some basic results and notations we will use throughout the paper. Section 3
defines ν-PN. Section 4 proves undecidability of reachability. In Sect. 5 we
prove decidability of coverability, termination and boundedness, and we give
non-primitive recursive lower bounds for their decision procedures. Section 6
presents further results about boundedness and in Section 7 we present our
conclusions.



2. Preliminaries 

Multisets. Given an arbitrary set $A$, we will denote by $A^\oplus$ the set of
finite multisets of $A$, that is, the set of mappings $m : A \to \mathbb{N}$. We
will identify each set with the multiset given by its characteristic function,
and use set notation for multisets when convenient. We denote by $supp(m)$ the
support of $m$, that is, the set $\{a \in A \mid m(a) > 0\}$ and by
$|m| = \sum_{a \in supp(m)} m(a)$ the cardinality of $m$. Given two multisets
$m_1, m_2 \in A^\oplus$ we denote by $m_1 + m_2$ and $m_1 \cup m_2$ the multisets
defined by $(m_1 + m_2)(a) = m_1(a) + m_2(a)$ and
$(m_1 \cup m_2)(a) = max\{m_1(a), m_2(a)\}$, respectively. We will write
$m_1 \subseteq m_2$ if $m_1(a) \le m_2(a)$ for every $a \in A$. In this case, we
can define $m_2 - m_1$, given by $(m_2 - m_1)(a) = m_2(a) - m_1(a)$. We will
denote by $\sum$ the extended multiset sum operator and by
$\emptyset \in A^\oplus$ the multiset $\emptyset(a) = 0$, for every $a \in A$. If
$f : A \to B$ and $m \in A^\oplus$, then we define $f(m) \in B^\oplus$ by
$f(m)(b) = \sum_{f(a) = b} m(a)$. Every partial order $\le$ defined over $A$
induces a partial order $\sqsubseteq$ in the set $A^\oplus$, given by
$\{a_1, \ldots, a_n\} \sqsubseteq \{b_1, \ldots, b_m\}$ if there is
$\iota : \{1, \ldots, n\} \to \{1, \ldots, m\}$ injective such that
$a_i \le b_{\iota(i)}$ for all $i$. We will write $\sqsubseteq_\iota$ to stress
the use of the mapping $\iota$.

wqo. A quasi order is a reflexive and transitive binary relation on a set $A$.
A partial order is an antisymmetric quasi order. A quasi order $\le$ is decidable
if for every $a, b \in A$ we can effectively decide if $a \le b$. All the quasi
orders in this paper are trivially decidable. For a quasi order $\le$ we write
$a < b$ if $a \le b$ and $b \not\le a$. A set $B \subseteq A$ is said to be a
minor set of $A$ if it does not contain comparable elements and for all
$a \in A$ there is $b \in B$ such that $b \le a$. We will write $min(A)$ to
denote a minor set of $A$. The upward closure of a subset $B$ is
$\uparrow B = \{a \in A \mid \exists b \in B \text{ s.t. } b \le a\}$. A subset
$B$ is upward closed iff $B = \uparrow B$. A quasi order is well (wqo) [23] if
for every infinite sequence $a_0, a_1, \ldots$ there are $i$ and $j$ with
$i < j$ such that $a_i \le a_j$. In a wqo $min(B)$ is always finite.

Transition systems. A transition system is a tuple $(S, \to, s_0)$, where $S$ is
a (possibly infinite) set of states, $s_0 \in S$ is the initial state and
$\to \subseteq S \times S$. We denote by $\to^*$ the reflexive and transitive
closure of $\to$. Given $S' \subseteq S$ we denote by $Pred(S')$ the set
$\{s \in S \mid s \to s' \in S'\}$.

The reachability problem in a transition system consists in deciding for a
given state $s_f$ whether $s_0 \to^* s_f$. The termination problem consists in
deciding whether there is an infinite sequence $s_0 \to s_1 \to s_2 \to \cdots$.
The boundedness problem consists in deciding whether the set of reachable states
is finite. For any transition system $(S, \to, s_0)$ endowed with a quasi order
$\le$ we can define the coverability problem, that consists in deciding, given a
state $s_f$, whether there is $s \in S$ reachable such that $s_f \le s$.

WSTS. A Well Structured Transition System (WSTS) is a tuple
$(S, \to, s_0, \le)$, where $(S, \to, s_0)$ is a transition system, $\le$ is a
decidable wqo compatible with $\to$ (meaning that $s_1' \ge s_1 \to s_2$ implies
that there is $s_2' \ge s_2$ with $s_1' \to s_2'$), and so that for all
$s \in S$ we can compute $min(Pred(\uparrow s))$. We will refer to these
properties as monotonicity of $\to$ with respect to $\le$, and effective
Pred-basis, respectively. For WSTS, the coverability and the termination problems
are decidable [sl. llOf. A WSTS is said to be strict if it satisfies the
following strict compatibility condition: $s_1' > s_1 \to s_2$ implies that there
is $s_2' > s_2$ with $s_1' \to s_2'$. For strict WSTS, also the boundedness
problem is decidable [10].

Petri Nets. Next we define P/T nets in order to set our notations. A P/T
net is a tuple $N = (P, T, F)$ where $P$ and $T$ are disjoint finite sets of
places and transitions, respectively, and
$F : (P \times T) \cup (T \times P) \to \mathbb{N}$. A marking $M$ of $N$
is a finite multiset of places of $N$, that is, $M \in P^\oplus$.

As usual, we denote by $t^\bullet$ and ${}^\bullet t$ the multisets of
postconditions and preconditions of $t$, respectively, that is,
$t^\bullet(p) = F(t,p)$ and ${}^\bullet t(p) = F(p,t)$. A



Strictly speaking, decidability of the wqo and effective Pred-basis are not part of the
definition of WSTS, but of the so called effective WSTS. These properties are needed to ensure
decidability of coverability.

transition $t$ is enabled at marking $M$ if ${}^\bullet t \subseteq M$. The
reached state of $N$ after the firing of $t$ is
$M' = (M - {}^\bullet t) + t^\bullet$.

We will write $M \xrightarrow{t} M'$ if $M'$ is the reached marking after the
firing of $t$ at marking $M$. We also write $M \to M'$ if there is some $t$ such
that $M \xrightarrow{t} M'$. The reflexive and transitive closure of $\to$ is
denoted by $\to^*$. For a transition sequence $\tau = t_1 \ldots t_m$ we will
write $M \xrightarrow{\tau} M'$ to denote the consecutive firing of transitions
$t_1$ to $t_m$, as expected.

3. Petri nets with name creation 

Let us now extend P/T nets with the capability of name management by
defining ν-PN. In a ν-PN names can be created, communicated and matched.
We can use this mechanism to deal with authentication issues [2^, correlation
or instance isolation Q . We formalize name management by replacing ordinary
tokens by distinguishable ones, thus adding colours to our nets. We fix a set
$Id$ of names, that can be carried by tokens of any ν-PN. In order to handle
these colours, we need matching variables labelling the arcs of the nets, taken
from a fixed set $Var$. Moreover, we add a primitive capable of creating new
names, formalized by means of special variables in a set
$\Upsilon \subset Var$, ranged by $\nu, \nu_1, \ldots$ that can only be
instantiated to fresh names.

Definition 1. A ν-PN is a tuple $N = (P, T, F)$, where $P$ and $T$ are finite
disjoint sets, $F : (P \times T) \cup (T \times P) \to Var^\oplus$ is such that
for every $t \in T$, $\Upsilon \cap pre(t) = \emptyset$ and
$post(t) \setminus \Upsilon \subseteq pre(t)$, where
$pre(t) = \bigcup_{p \in P} supp(F(p,t))$ and
$post(t) = \bigcup_{p \in P} supp(F(t,p))$.

We also take $Var(t) = pre(t) \cup post(t)$. To avoid tedious definitions, along
the paper we will consider a fixed ν-PN $N = (P, T, F)$.

Definition 2. A marking of $N$ is a function $M : P \to Id^\oplus$. We denote by
$Id(M)$ the set of names in $M$, that is,
$Id(M) = \bigcup_{p \in P} supp(M(p))$.

We will assume a fixed initial marking $M_0$ of $N$. Like in other classes of
high-order nets, transitions are fired with respect to a mode, that chooses which
tokens are taken from preconditions and which are put in postconditions. Given
a transition $t$ of a net $N$, a mode of $t$ is an injection
$\sigma : Var(t) \to Id$, that instantiates each variable to an identifier. We
will use $\sigma, \sigma', \sigma_1, \ldots$ to range over modes.

Definition 3. Let $M$ be a marking, $t \in T$ and $\sigma$ a mode for $t$. We say
$t$ is enabled with mode $\sigma$ if for all $p \in P$,
$\sigma(F(p,t)) \subseteq M(p)$ and $\sigma(\nu) \notin Id(M)$ for all
$\nu \in \Upsilon \cap Var(t)$. The reached state after the firing of $t$ with
mode $\sigma$ is the marking $M'$, given by

$M'(p) = (M(p) - \sigma(F(p,t))) + \sigma(F(t,p))$ for all $p \in P$

Figure 1: A simple ν-PN



We will write $M \xrightarrow{t(\sigma)} M'$ to denote that $M'$ is reached from
$M$ when $t$ is fired with mode $\sigma$, and extend the notation as done for
P/T nets. In particular, for a sequence
$\tau = t_1(\sigma_1) \ldots t_m(\sigma_m)$ we will write
$M \xrightarrow{\tau} M'$ to denote the consecutive firings of $t_1(\sigma_1)$ to
$t_m(\sigma_m)$. We will denote by $Reach(N)$ the set of reachable markings of
$N$. Finally, we will assume that $\bullet \in Id$, so that we can also have
ordinary tokens in our nets.

Figure 1 depicts a simple ν-PN with four places and a single transition.
This transition moves one token from $p_1$ to $q_1$ (because of variable $x$
labelling both arcs), removes a token from $p_1$ and $p_2$ provided they carry
the same name (variable $y$ appears in both incoming arcs but it does not appear
in any outgoing arc), and two different names are created, one appears both in
$q_1$ and $q_2$ (because of variable $\nu_1 \in \Upsilon$) and the other appears
only in $q_2$ (because of variable $\nu_2 \in \Upsilon$).

Notice that we demand modes to be injections (unlike in [28]), which
formalizes the fact that we can check for inequality. For instance, in the
example in Fig. 1 the two tokens taken from $p_1$ must carry different names
because we are labelling the arc from $p_1$ to $t$ with two different variables,
namely $x$ and $y$. The capability of checking for inequality among all the names
involved in the firing of a transition improves the expressive power of the
model (see Fig. 5). The problem of proving that this improvement is strict is
still open.
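
The firing rule of Definition 3, run on the net that the text describes for Fig. 1, as an added example (not code from the paper). The arc labels are read off that description, `nu1` and `nu2` stand for the two name-creating variables, and the sample marking is the one the paper uses later in its α-equivalence example; all Python names are assumptions.

```python
from collections import Counter

# Net of Fig. 1 as described in the text (one transition t, four places).
# Arc labels are multisets of variables; nu1 and nu2 are the name-creating
# variables, every other variable is an ordinary matching variable.
FRESH_VARS = {"nu1", "nu2"}
PRE = {"p1": Counter(["x", "y"]), "p2": Counter(["y"])}               # F(p, t)
POST = {"q1": Counter(["x", "nu1"]), "q2": Counter(["nu1", "nu2"])}   # F(t, p)
PLACES = ("p1", "p2", "q1", "q2")


def names(marking):
    """Id(M): every name that occurs in some place of the marking."""
    return {a for tokens in marking.values() for a, n in tokens.items() if n > 0}


def instantiate(label, mode):
    """sigma(F(.,.)): replace each variable of an arc label by its name."""
    out = Counter()
    for var, n in label.items():
        out[mode[var]] += n
    return out


def enabled(marking, mode):
    """Check the conditions of Definition 3 for transition t."""
    variables = set().union(*PRE.values(), *POST.values())
    if set(mode) != variables:
        return False                       # a mode instantiates exactly Var(t)
    if len(set(mode.values())) != len(mode):
        return False                       # modes are injections
    if any(mode[v] in names(marking) for v in FRESH_VARS):
        return False                       # created names must be fresh
    for place, label in PRE.items():
        need = instantiate(label, mode)
        have = marking.get(place, Counter())
        if any(have[a] < n for a, n in need.items()):
            return False                   # sigma(F(p,t)) must be inside M(p)
    return True


def fire(marking, mode):
    """Return M' with M'(p) = (M(p) - sigma(F(p,t))) + sigma(F(t,p))."""
    if not enabled(marking, mode):
        raise ValueError("transition not enabled with this mode")
    result = {}
    for place in PLACES:
        tokens = Counter(marking.get(place, Counter()))
        tokens.subtract(instantiate(PRE.get(place, Counter()), mode))
        tokens.update(instantiate(POST.get(place, Counter()), mode))
        result[place] = +tokens            # unary + drops zero counts
    return result


# Sample marking ({a, b}, {b, c}, {}, {}) in the order (p1, p2, q1, q2).
M1 = {"p1": Counter("ab"), "p2": Counter("bc"), "q1": Counter(), "q2": Counter()}

if __name__ == "__main__":
    after = fire(M1, {"x": "a", "y": "b", "nu1": "d", "nu2": "e"})
    print({p: sorted(after[p].elements()) for p in PLACES})
```

The injectivity test is what rejects the mode with x = y, which is the inequality check the paragraph above attributes to injective modes.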

If a ν-PN has no arc labelled with variables from $\Upsilon$ then only a finite
number of identifiers (those in the initial marking) can appear in any reachable
marking. It is easy to see that these nets can be expanded to an equivalent P/T
net. In particular, reachability is decidable for any such net, as it is for P/T
nets, unlike for ν-PN [18].

We will work with a subclass of ν-PN without weights and in which transitions
can at most create one fresh name.



Definition 4. A ν-PN $N = (P, T, F)$ is normal if there is $\nu \in \Upsilon$
such that:

• for every pair $(x,y) \in (P \cup T) \times (T \cup P)$, $|F(x,y)| \le 1$,

• if $F(x,y) \cap \Upsilon \neq \emptyset$ then $F(x,y) = \{\nu\}$.

Every ν-PN can be simulated by a normal ν-PN. Intuitively, the simulation
considers for each transition several transitions that must be fired consecutively,
whenever the original net takes several tokens from the same place. Since the
firing of a transition in the original net becomes non-atomic in the simulation, it
can introduce deadlocks (whenever the "transaction" cannot be accomplished).
However, it preserves all the properties we will consider in this paper. Therefore,
from now on we will assume that ν-PNs are normal when needed.

Figure 2: The net on the left cannot check for inequalities (it can fire its
transition when $a = b$ or $a \neq b$). The net on the right can fire the
transition in the top when $a = b$, and the one in the bottom when $a \neq b$.

4. Undecidability of reachability for ν-PN

Let us now prove that reachability is undecidable for ν-PN. In [18] (and
independently in [25]) undecidability of reachability is proved by reducing
reachability of the final state with all the counters containing zero in Minsky
machines to reachability in ν-PN. In this section we prove that same result in a
simpler way, by reducing reachability in inhibitor nets (which allow checking
for zero) to reachability in ν-PN.

An inhibitor net is a tuple $N = (P, T, F, F_{in})$, where $P$ and $T$ are
disjoint sets of places and transitions, respectively,
$F \subseteq (P \times T) \cup (T \times P)$, and $F_{in} \subseteq P \times T$.
Pairs in $F_{in}$ are inhibitor arcs. For a transition $t \in T$ we write
${}^\bullet t = \{p \in P \mid (p,t) \in F\}$,
$t^\bullet = \{p \in P \mid (t,p) \in F\}$ and
${}^i t = \{p \in P \mid (p,t) \in F_{in}\}$. In figures we will draw a circle
instead of an arrow to indicate that an arc is an inhibitor arc.

A marking of an inhibitor net $N$ is a multiset of places of $N$. A transition
$t$ of $N$ is enabled if $M(p) > 0$ for all $p \in {}^\bullet t$ and $M(p) = 0$
for all $p \in {}^i t$. In that case $t$ can be fired, producing
$M' = (M - {}^\bullet t) + t^\bullet$.

Proposition 1. Reachability is undecidable for ν-PN.

Proof. Given an inhibitor net $N = (P, T, F, F_{in})$ we build a ν-PN
$N^* = (P \cup \bar{P}, T, F^*)$ that simulates it as follows:

• If $(p,t) \in F$ then $F^*(p,t) = F^*(\bar{p},t) = F^*(t,\bar{p}) = \{x_p\}$
(and analogously for $(t,p) \in F$),

• If $(p,t) \in F_{in}$ then $F^*(\bar{p},t) = \{x_p\}$ and
$F^*(t,\bar{p}) = \{\nu\}$.

• $F^*(x,y) = \emptyset$ elsewhere.

Moreover, if $M_0$ is the initial marking of $N$, we consider a different
identifier $a_p$ for each place $p$ of $N$. Then, we define the initial marking
of $N^*$ as $M_0^*(\bar{p}) = \{a_p\}$ and
$M_0^*(p) = \{a_p, \overset{M_0(p)}{\ldots}, a_p\}$, for each $p \in P$.

Intuitively, for each place $p$ of $N$ we consider a new place $\bar{p}$ in
$N^*$. The construction of $N^*$ is such that $\bar{p}$ contains a single token
at any time. The firing of any transition ensures that the token being used in
$p$ coincides with that in $\bar{p}$. Every time a transition checks the
emptiness of a place $p$, the content of $\bar{p}$ is replaced by a fresh token,
so that no token remaining in $p$ can be used. In this way, our simulation
introduces some garbage tokens whenever it cheats, that once become garbage,
always stay like that. Moreover, notice that any marking of $N^*$ of the form
$M^*$ for some marking $M$ of $N$ does not contain any garbage, so that it comes
from a correct simulation. Fig. 3 depicts a simple inhibitor net and its
simulation. Then $M$ is reachable in $N$ from $M_0$ if and only if $M^*$ is
reachable in $N^*$ from $M_0^*$. Thus, we have reduced reachability in inhibitor
nets, which is undecidable [9], to reachability in ν-PN.

Figure 3: Weak simulation of Petri nets with inhibitor arcs

5. Strict well structuredness of ν-PN

In this section we prove that the transition system generated by a ν-PN
is strictly well structured 0, . This will imply decidability of coverability,
boundedness and termination. For that purpose, we can proceed following the
next steps. In the first place, we need to define an order in the set of
configurations, markings in our case, that induces the property of coverability.
This order must be a decidable wqo. Then we must prove that this order is strictly
monotonic with respect to the transition relation. Finally, we have to prove
that it has effective Pred-basis.

5.1. Defining the order 

One could think that the order we are interested in for ν-PN is the following:

$M_1 \sqsubseteq M_2 \iff M_1(p) \subseteq M_2(p)$ for all $p \in P$

This order is not a well quasi-order: it suffices to consider a ν-PN with a
single place $p$ and a sequence of pairwise different identifiers
$(a_i)_{i=1}^{\infty}$, and define $M_i(p) = \{a_i\}$ for all $i = 1, 2, \ldots$
which trivially satisfies that for all $i < j$,

However, this order is too restrictive, since it does not take into account 
the abstract nature of pure names. Indeed, whenever a new name is created, 
actually any other fresh name could have been created. Therefore, reachability 
(or coverability) of a given marking is equivalent to reachability (or coverabil- 
ity) of any marking produced after consistently renaming the new names in it. 
For homogeneity, we will suppose that we can rename every name, even those 
appearing in the initial marking (which, after all, are a fixed number of names).
To capture these intuitions, we identify markings up to renaming of names.

Definition 5. Given two markings $M$ and $M'$ we say that they are α-equivalent,
and we write $M \equiv_\alpha M'$, if there is a bijection
$\iota : Id(M) \to Id(M')$ such that $M'(p)(\iota(a)) = M(p)(a)$ for all
$p \in P$ and $a \in Id(M)$.

We will write $M \equiv_\iota M'$ to stress the use of the particular mapping
$\iota$ in the previous definition. Moreover, for a marking $M$ and set of
identifiers $A$, any bijection $\iota : Id(M) \to A$ defines a marking that we
denote as $\iota(M)$, given by $\iota(M)(p)(\iota(a)) = M(p)(a)$, which is
α-equivalent to $M$.

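Proposition 2. The behavior of ν-PNs is invariant under α-conversion. More
specifically, let $M_1 \xrightarrow{t(\sigma)} M_1'$:

• If $M_1 \equiv_\alpha M_2$ then there is $M_2'$ and $\sigma'$ such that
$M_1' \equiv_\alpha M_2'$ and $M_2 \xrightarrow{t(\sigma')} M_2'$.

• If $M_1' \equiv_\alpha M_2'$ then there is $M_2$ and $\sigma'$ such that
$M_1 \equiv_\alpha M_2$ and $M_2 \xrightarrow{t(\sigma')} M_2'$.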

Proof. Let $A = Id(M_1) \setminus Id(M_1')$ and $B$ the set of names created by
$t(\sigma)$. Then, $Id(M_1') = (Id(M_1) \setminus A) \cup B$. Notice that
$B \subseteq \{b\}$, for some $b \in Id$, assuming $N$ is normal.

• Assume $M_1 \equiv_\iota M_2$ and let $\sigma' = \iota \circ \sigma$.
Transition $t$ can be fired from $M_2$ with mode $\sigma'$, obtaining $M_2'$ with
$Id(M_2') = (Id(M_2) \setminus \iota(A)) \cup B'$ for some $B'$ of the same
cardinality as $B$. We define $\iota'$ by extending $\iota$ to $B$ so that
$\iota'(B) = B'$, which verifies $M_1' \equiv_{\iota'} M_2'$.

• Assume now that $M_1' \equiv_{\iota'} M_2'$ and let us define
$\iota : Id(M_1) \to Id(M_2') \cup A$ by $\iota(a) = \iota'(a)$ if
$a \in Id(M_1')$, and $\iota(a) = a$ if $a \in A$. Then $M_2 = \iota(M_1)$ and
$\sigma' = \iota \circ \sigma$ satisfy $M_1 \equiv_\iota M_2$ and
$M_2 \xrightarrow{t(\sigma')} M_2'$.

For instance, if we represent a marking $M$ of the net in Fig. 1 by a tuple
$(M(p_1), M(p_2), M(p_3), M(p_4))$, then
$M_1 = (\{a,b\}, \{b,c\}, \emptyset, \emptyset)$ and
$M_2 = (\{a,c\}, \{b,c\}, \emptyset, \emptyset)$ are two α-equivalent markings of
that ν-PN. Indeed, $M_1 \equiv_\iota M_2$ with $\iota(a) = a$, $\iota(b) = c$ and
$\iota(c) = b$. $M_1$ can evolve to the marking
$M_1' = (\emptyset, \{c\}, \{a,d\}, \{d,e\})$ when it fires $t$ and $M_2$ can
evolve to $M_2' = (\emptyset, \{b\}, \{a,e\}, \{d,e\})$. Notice that also
$M_1' \equiv_\alpha M_2'$.

Let us now define the order we are interested in, by modifying the order
$\sqsubseteq$ between markings with the help of the α-equivalence relation.

Definition 6. Let $M_1$ and $M_2$ be markings of $N$. We will write
$M_1 \sqsubseteq_\alpha M_2$ if there is a marking $M_1'$ such that
$M_1' \equiv_\alpha M_1$ and $M_1' \sqsubseteq M_2$.

Then, $M_1 \sqsubseteq_\alpha M_2$ when there is $\iota$ such that
$M_1 \equiv_\iota M_1' \sqsubseteq M_2$, or equivalently, when
$\iota(M_1) \sqsubseteq M_2$. We will write $M_1 \sqsubseteq_\iota M_2$ to
emphasize the use of $\iota$. Clearly, $\sqsubseteq_\alpha$ is a decidable quasi
order. Moreover, the kernel of $\sqsubseteq_\alpha$ is $\equiv_\alpha$, that is,
$M_1 \sqsubseteq_\alpha M_2$ and $M_2 \sqsubseteq_\alpha M_1$ iff
$M_1 \equiv_\alpha M_2$.

5.2. $\sqsubseteq_\alpha$ is a wqo

We will now see that the set of markings, ordered by $\sqsubseteq_\alpha$, is a
wqo. In particular, notice that the counterexample we saw to prove that
$\sqsubseteq$ is not a wqo is no longer valid, since all those markings are
α-equivalent. In order to prove that $\sqsubseteq_\alpha$ is a wqo we map it to a
multiset order which is known to be a wqo.

A marking is a mapping $M : P \to Id \to \mathbb{N}$ that says, for a given place
$p$ and an identifier $a$, how many times the token $a$ can be found in place
$p$. However, we can also curry those mappings as
$M : Id \to P \to \mathbb{N}$. Since the behavior of a net is invariant under
renaming, as we proved in Prop. 2, we can represent markings (modulo
$\equiv_\alpha$) as multisets in $(P \to \mathbb{N})^\oplus$, that is, in
$(P^\oplus)^\oplus$.

In this way, we represent markings by means of multisets, with a cardinality 
that equals the number of different identifiers appearing in it. 

As an example, let us consider a net with only two places $p_1$ and $p_2$, and
a marking $M$ such that $M(p_1) = \{a,a,b,c\}$ and $M(p_2) = \{b,c\}$. We can
represent that marking by the multiset of cardinality 3, since there are 3
different identifiers in $M$, namely by the multiset
$\{\{p_1,p_1\}, \{p_1,p_2\}, \{p_1,p_2\}\}$, where the multiset $\{p_1,p_1\}$
represents identifier $a$, one of the two multisets $\{p_1,p_2\}$ represents $b$
and the other $\{p_1,p_2\}$ represents $c$. Let us see it formally:

Definition 7. For a marking $M$ of $N$, we define $M^a \in P^\oplus$ by
$M^a(p) = M(p)(a)$ and
$\overline{M} = \{M^a \mid a \in Id(M)\} \in (P^\oplus)^\oplus$.

Let us denote by $\preceq$ the canonic order in $(P^\oplus)^\oplus$. It is well
known that $\preceq$ is a wqo. Moreover, it coincides with $\sqsubseteq_\alpha$,
as we prove next.

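Lemma 1. Let $M_1$ and $M_2$ be two markings. Then $M_1 \sqsubseteq_\alpha M_2$
iff $\overline{M_1} \preceq \overline{M_2}$.

Proof. Let $\overline{M_1} = \{A_1, \ldots, A_n\}$ and
$\overline{M_2} = \{B_1, \ldots, B_m\}$ with $A_i = M_1^{a_i}$ and
$B_j = M_2^{b_j}$. If $M_1 \sqsubseteq_\iota M_2$ then define $h(i)$ such that
$B_{h(i)} = M_2^{\iota(a_i)}$. Then
$A_i(p) = M_1(p)(a_i) \le M_2(p)(\iota(a_i)) = B_{h(i)}(p)$, so that
$A_i \subseteq B_{h(i)}$ and therefore
$\overline{M_1} \preceq \overline{M_2}$.

Conversely, since $\overline{M_1} \preceq \overline{M_2}$, there is
$h : \{1, \ldots, n\} \to \{1, \ldots, m\}$ such that $A_i \subseteq B_{h(i)}$.
Let us define $\iota : Id(M_1) \to Id(M_2)$ by $\iota(a_i) = b_{h(i)}$. Then we
have
$M_1(p)(a_i) = M_1^{a_i}(p) \le M_2^{b_{h(i)}}(p) = M_2^{\iota(a_i)}(p) = M_2(p)(\iota(a_i))$.
Therefore, $M_1(p)(a) \le M_2(p)(\iota(a))$ for all $a \in Id(M_1)$ and the
thesis follows.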

Finally, we can conclude that the order $\sqsubseteq_\alpha$ is, indeed, a wqo.

Proposition 3. $\sqsubseteq_\alpha$ is a wqo.

Proof. Let $M_0, M_1, M_2, \ldots$ be an infinite sequence of markings. Let us
consider the sequence $\overline{M_0}, \overline{M_1}, \overline{M_2}, \ldots$
Since $\preceq$ is a wqo, there are two indices $i < j$ such that
$\overline{M_i} \preceq \overline{M_j}$. By Lemma 1 we have that
$M_i \sqsubseteq_\alpha M_j$, from which the thesis follows.
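
Deciding the order of Definition 6 through the encoding of Definition 7 and Lemma 1, as an added example (not code from the paper): each name is replaced by its multiset of places, and the required injection is searched for with an augmenting-path bipartite matching, which is an implementation choice made here. The function names are assumptions, and the sample pair `SMALL`/`LARGE` is constructed.

```python
from collections import Counter


def profiles(marking):
    """Map each name a to M^a, the multiset of places holding a (Def. 7)."""
    prof = {}
    for place, tokens in marking.items():
        for name, n in tokens.items():
            if n > 0:
                prof.setdefault(name, Counter())[place] += n
    return prof


def encode(marking):
    """The multiset of profiles: the marking with its names forgotten."""
    return Counter(tuple(sorted(p.items())) for p in profiles(marking).values())


def alpha_equivalent(m1, m2):
    """A name bijection preserving profiles exists iff the encodings coincide."""
    return encode(m1) == encode(m2)


def leq_plain(m1, m2):
    """Name-sensitive order: M1(p) is included in M2(p) for every place p."""
    return all(m2.get(p, Counter())[a] >= n
               for p, tokens in m1.items() for a, n in tokens.items())


def leq_alpha(m1, m2):
    """Return an injection iota with iota(M1) included in M2, or None."""
    prof1, prof2 = profiles(m1), profiles(m2)
    owner = {}                       # name of M2 -> name of M1 mapped onto it

    def fits(a, b):                  # M1^a included in M2^b, place by place
        return all(prof2[b][p] >= n for p, n in prof1[a].items())

    def assign(a, seen):
        for b in prof2:
            if b in seen or not fits(a, b):
                continue
            seen.add(b)
            # take b if it is free, or if its current owner can move elsewhere
            if b not in owner or assign(owner[b], seen):
                owner[b] = a
                return True
        return False

    for a in prof1:
        if not assign(a, set()):
            return None
    return {a: b for b, a in owner.items()}


# The paper's counterexample for the plain order: M_i(p) = {a_i}.
CHAIN = [{"p": Counter([f"a{i}"])} for i in range(1, 5)]
# Example of Section 5.2: M(p1) = {a, a, b, c}, M(p2) = {b, c}.
M_EXAMPLE = {"p1": Counter("aabc"), "p2": Counter("bc")}
# Constructed pair in which the first-fit choice a -> c has to be revised.
SMALL = {"p1": Counter("ab"), "p2": Counter("b")}
LARGE = {"p1": Counter("cd"), "p2": Counter("c")}

if __name__ == "__main__":
    print(leq_plain(CHAIN[0], CHAIN[1]), leq_alpha(CHAIN[0], CHAIN[1]))
    print(encode(M_EXAMPLE))
    print(leq_alpha(SMALL, LARGE))
```

An empty marking yields the empty injection `{}`, so callers should test the result with `is not None` rather than for truthiness.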
5.3. Strict monotonicity

Now let us see the next condition for strict well-structuredness, namely strict
monotonicity of the firing relation with respect to $\sqsubseteq_\alpha$. As a
first step, let us see it for $\sqsubseteq$.

Lemma 2. The firing relation of ν-PN is strictly monotonic with respect to
$\sqsubseteq$.

Proof. Let us suppose that $M_1 \xrightarrow{t(\sigma)} M_2$ and
$M_1 \sqsubset M_1'$. From the former, we know in the first place that
$\sigma(F(p,t)) \in M_1(p)$ for all $p$ because that firing is enabled, and
$M_2(p) = M_1(p) - \{\sigma(F(p,t))\} + \{\sigma(F(t,p))\}$ by definition of
firing. The latter implies $M_1(p) \subseteq M_1'(p)$. Then, for all $p$,
$\sigma(F(p,t)) \in M_1(p) \subseteq M_1'(p)$ and, therefore, the transition is
enabled in $M_1'$. So that $t$ can be fired to obtain
$M_2'(p) = M_1'(p) - \{\sigma(F(p,t))\} + \{\sigma(F(t,p))\}$. Since
$M_1(p) \subseteq M_1'(p)$ we have that
$M_2(p) = M_1(p) - \{\sigma(F(p,t))\} + \{\sigma(F(t,p))\} \subseteq M_1'(p) - \{\sigma(F(p,t))\} + \{\sigma(F(t,p))\} = M_2'(p)$
and the thesis follows.

Proposition 4. The firing relation of ν-PN is strictly monotonic with respect
to $\sqsubseteq_\alpha$.

Proof. It is a direct consequence of the previous lemma and Prop. 2.

5.4. Effective Pred-basis

Let us now move to the last condition we must check, effective Pred-basis.
Let us denote by $\uparrow M$ and $\uparrow_\alpha M$ the upward closure of $M$
with respect to $\sqsubseteq$ and $\sqsubseteq_\alpha$, respectively.

Definition 8. Given a transition $t$ of $N$ and $\sigma$ a mode for $t$, we
define $Pred_t$ and $Pred_{t(\sigma)}$ the functions mapping markings to sets of
markings, defined by

$Pred_t(M) = \{M' \mid \exists \sigma,\ M' \xrightarrow{t(\sigma)} M\}$ and
$Pred_{t(\sigma)}(M) = \{M' \mid M' \xrightarrow{t(\sigma)} M\}$, and
extend them pointwise to sets of markings.

With these notations we need to compute $min(Pred_t(\uparrow_\alpha M))$ for each
marking $M$ and $t \in T$. By Prop. 2 it is enough to compute
$min(Pred_t(\uparrow M))$. Notice that the minor set of $Pred_t(\uparrow M)$ is
still considered with respect to $\sqsubseteq_\alpha$, so that it is finite.

When computing the predecessors of $\uparrow M$, it may be the case that $M$
itself has no predecessors, but some other markings in $\uparrow M$ do. In the
next definition we identify the least marking in $\uparrow M$ with predecessors.
We will use the following notation: Given two markings $M_1$ and $M_2$ we will
denote by $M_1 \cup M_2$ the marking given by
$(M_1 \cup M_2)(p) = M_1(p) \cup M_2(p)$.

Definition 9. Let $t$ be a transition of $N$, $\sigma$ a mode of $t$ and $M$ a
marking of $N$. We define $min_{t(\sigma)}(M) = M \cup \sigma(F(t,-))$, where
$\sigma(F(t,-))$ is the marking of $N$ defined by
$\sigma(F(t,-))(p) = \sigma(F(t,p))$.

Indeed, $min_{t(\sigma)}(M)$ is a marking in $\uparrow M$ with some predecessors.
Moreover, it is the least such marking, as proved next.

Figure 4: Computation of $Pred_{t(\sigma)}(\uparrow M)$

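Lemma 3. Let $M$ be a marking of $N$, $t$ a transition of $N$ and $\sigma$ a mode
of $t$. Then $min_{t(\sigma)}(M)$ is the least $M'$ such that $M \sqsubseteq M'$
and $Pred_{t(\sigma)}(M') \neq \emptyset$.

Proof. Let us write $\widehat{M} = min_{t(\sigma)}(M)$. Trivially,
$M \sqsubseteq \widehat{M}$. Let us see that
$Pred_{t(\sigma)}(\widehat{M}) \neq \emptyset$. For that purpose, let $M_0$ be
the marking defined by
$M_0(p) = (M \cup \sigma(F(t,-)))(p) - \{\sigma(F(t,p))\} + \{\sigma(F(p,t))\}$
and let us see that $M_0 \xrightarrow{t(\sigma)} \widehat{M}$. In the first
place, $t(\sigma)$ is enabled in $M_0$, since $\sigma(F(p,t)) \in M_0(p)$ for
each place $p$. Then the transition can be fired in mode $\sigma$ and
$M_0(p) - \sigma(F(p,t)) + \sigma(F(t,p)) = \widehat{M}(p)$. Finally, if
$M_1 \xrightarrow{t(\sigma)} M_2$ and $M \sqsubseteq M_2$ let us see that
$\widehat{M} \sqsubseteq M_2$. Since $M \sqsubseteq M_2$ it holds that
$M(p) \subseteq M_2(p)$, for all $p$. Then
$\widehat{M}(p) = M(p) \cup \sigma(F(t,p)) \subseteq M_2(p) \cup \sigma(F(t,p)) \subseteq M_2(p)$,
and the thesis follows.

Finally, let us see that we can use $min_{t(\sigma)}(M)$ to compute
$min(Pred_t(\uparrow M))$.

Proposition 5. $Pred_{t(\sigma)}(\uparrow M) = \uparrow Pred_{t(\sigma)}(min_{t(\sigma)}(M))$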

Proof. Let M such that Prec;((^) (t M) = t . Since mini(^„){M) e t 
Predii^„)(minti^„^{M)) G t so that Af C Predt(a){mint(a){M)). Let us see 
that also Predt[a){mint(^„^{M)) C A/ holds. Indeed, Af £ Predfjg.) (t A^), so 

there is M' € ^ M such that M*'^ M' . By the previous lemma, since M' has 
predecessors, $min_{t(\sigma)}(M) \sqsubseteq M'$, which entails by the previous
lemma that the same relation also holds for their predecessors (because the
effect of $t(\sigma)$ is constant), and hence the thesis.

Fig. 4 can give you some insight about the proof of the previous result. A
marking $M$ induces an upwards closed set, the cone in the right hand side of
Fig. 4. We want to compute (a finite representation of) the set of the
predecessors of the markings in that cone. For that purpose, we first obtain
$min_{t(\sigma)}(M)$, which is known to have a predecessor, according to Prop. 3,
that is trivially computable. Therefore, every marking in the left hand side cone
can reach in one step the cone in the right.

Let us now see that in order to compute $min(Pred_t(\uparrow M))$ it is enough to
consider a finite amount of modes.

Proposition 6. Let $M$ be a marking, $t$ a transition and $O$ a set of
identifiers with $|O| = |Var(t)|$. If $M' \in Pred_t(\uparrow M)$ then there is
$\sigma : Var(t) \to Id(M) \cup O$ and $M'' \equiv_\alpha M'$ such that
$M'' \in Pred_{t(\sigma)}(\uparrow M)$.

Proof. Let a' such that A/'^'^'m with M C M. Because of the latter, 
Id{M) = Id{M)\JO' for some set of identifiers O' . Let us write (j'{x) = when- 
ever a'{x) G O' . For each such x S Var{t), choose a different Ox E O (notice that 
this can be done because \0\ = | Var{t)\). Let us define a : Var{t) — t- Id{M)LiO 
as follows: a{x) = <t'{x) if <t'{x) € Id{M), and a{x) = if (t'{x) G O' . Let also 
i : Id{M') -> {Id(M) \ O') U O defined by i(o^) = Ox and t(a) = a elsewhere. 

Finally, let us take M" = l{M') and m' such that A/"*^"*!?'. It holds that 
at' e t and the thesis follows. 

Therefore, in order to compute Predtit M) we can fix a set of names O 
with as many names as variables in Var{t), and consider only modes mapping 
variables to names in Id{M) or in O. Notice that there are finitely many such 
modes. 

Proposition 7. For each $M$, the set $\min(Pred_t(\uparrow M))$ is computable.

Proof. We can compute $\min(Pred_t(\uparrow M))$ as follows:

$$\min(Pred_t(\uparrow M)) = \min\Big(\bigcup_{\sigma} Pred_{t(\sigma)}(\uparrow M)\Big) = \min\Big(\bigcup_{\sigma} \min(Pred_{t(\sigma)}(\uparrow M))\Big)$$

By Prop. 5 the last term can be computed as $\min\big(\bigcup_{\sigma} Pred_{t(\sigma)}(\min_{t(\sigma)}(M))\big)$.
Each $Pred_{t(\sigma)}(\min_{t(\sigma)}(M))$ is computable, and because by Prop. 6 it is enough
to consider finitely many modes, we conclude.

We have proved that ν-PNs are strictly well structured transition systems.

Proposition 8. Coverability, boundedness and termination are decidable for
ν-PN.

One can think that we have proved decidability of a weak version of the
coverability problem, that in which we allow arbitrary renaming of identifiers.
For instance, if we consider the net in the left of Fig. 2 and we ask whether
the marking $M$ given by $M(p_0) = M(p_1) = \emptyset$, $M(p_3) = \{b\}$ and $M(p_4) = \{a\}$
can be covered, the result would be affirmative, since the marking obtained by
exchanging $a$ and $b$ in $M$ (which is α-equivalent to $M$) is reachable in one step.

However, we can use this apparently weak version to decide a more restricted
version of coverability: Let $M_0$ and $M_f$ be two markings of a ν-PN
$N = (P, T, F)$. We want to decide if we can cover $M_f$ from $M_0$ without allowing
renaming of names. Thus, if a name $a$ appears both in $M_0$ and in $M_f$ we
want to reach a marking $M$ such that $M_f \sqsubseteq_\iota M$ with $\iota$ satisfying $\iota(a) = a$. Since
$R = Id(M_0) \cap Id(M_f)$ contains only a finite number of names, we can add new
places in order to ensure the latter. We define the ν-PN $N^* = (P \cup R, T, F)$.
For any marking $M$ we define $M^*(p) = M(p)$ if $p \notin R$ and $M^*(r) = \{r\}$ for all
$r \in R$. By construction of $N^*$, places in $R$ are isolated, so that their tokens are
never moved or removed. In particular, for any reachable $M$ with $M_f^* \sqsubseteq_\iota M$ it
holds $\iota(a) = a$ for every $a \in R$.

Figure 5: The ν-PN in the left of Fig. 2 extended to decide a restricted version of coverability

Let us again consider the example in Fig. 5. Following the previous
construction, that can be seen in Fig. 5, we add a place for $a$ and another one for $b$.
When we execute this new net, the reasoning we followed before now fails. In
one step we can reach $M'$ with $M'(p_0) = M'(p_1) = \emptyset$, $M'(p_3) = M'(a) = \{a\}$
and $M'(p_4) = M'(b) = \{b\}$. However, thanks to the newly added places, it
is not true that $M'$ equals the result of exchanging $a$ and $b$ in $M^*$ (using the
notations of the proof of the previous result).

We could ask ourselves whether we can consider a lighter version of the
reachability problem in which we allow renaming of names, as we are doing
with coverability, that allows us to obtain decidability. However, decidability of
α-reachability implies the decidability of reachability, by using the same trick
we have used for coverability.

5.5. Complexity of the decision procedures 

Now we obtain hardness results for the decision problems shown to be
decidable in Prop. 8. We do it by means of a simulation of reset nets by ν-PN. The
construction is very similar to the one we used in Sect. HI to simulate inhibitor 
nets with ν-PN.

A reset net is a tuple $N = (P, T, F, F_r)$, where $P$ and $T$ are disjoint sets of
places and transitions, respectively, $F \subseteq (P \times T) \cup (T \times P)$, and $F_r \subseteq P \times T$. Pairs
in $F_r$ are reset arcs. For a transition $t \in T$ we write ${}^\bullet t = \{p \in P \mid (p,t) \in F\}$
and ${}^r t = \{p \in P \mid (p,t) \in F_r\}$, and analogously for $t^\bullet$. For simplicity, and
without loss of generality, we assume that '"t fl = for every t G T. 

A marking of a reset net $N$ is a multiset of places of $N$. A transition $t$ is
enabled in $M$ if $M(p) > 0$ for all $p \in {}^\bullet t$. In that case $t$ can be fired, producing
$M'$ defined as*

• $M'(p) = (M(p) - F(p,t)) + F(t,p)$ for all $p \notin {}^r t$,

• $M'(p) = 0$ for all $p \in {}^r t$.

*Note that we are identifying $F$ with its characteristic function.

Figure 6: Simulation of reset nets 



Proposition 9. Given a reset net $N = (P, T, F_r, M_0)$ we can build in
polynomial time a ν-PN $N^* = (P \cup \bar{P}, T, F^*, M_0^*)$ such that:

• If $M$ is reachable in $N$ then there is $M^*$ reachable in $N^*$ such that for
every $p \in P$ there is $a_p \in Id$ with $M^*(\bar{p}) = \{a_p\}$ and $M^*(p)(a_p) = M(p)$.

• If $M^*$ is reachable in $N^*$ then there is $M$ reachable in $N$ and $a_p \in Id$ for
every $p \in P$ such that $M^*(\bar{p}) = \{a_p\}$ and $M^*(p)(a_p) = M(p)$.

In particular, 

• N terminates iff N* terminates, 

• Given M we can also build M* such that M can be covered in N iff M* 
can be covered in N* . 

Proof. Let $N = (P, T, F, F_r)$ be a reset net. We consider a different variable
$x_p$ for each $p \in P$. Then we define $N^* = (P \cup \bar{P}, T, F^*)$ as follows:

• If $(p,t) \in F$ then $F^*(p,t) = F^*(\bar{p},t) = F^*(t,\bar{p}) = x_p$ (analogously for
$(t,p) \in F$),

• If $(p,t) \in F_r$ then $F^*(\bar{p},t) = x_p$ and $F^*(t,\bar{p}) = \nu$.

• $F^*(x,y) = \emptyset$ elsewhere.

Moreover, if $M_0$ is the initial marking of $N$, we consider a different
identifier $a_p$ for each place $p$ of $N$. Then, we define the initial marking of $N^*$ as
$M_0^*(\bar{p}) = \{a_p\}$ and $M_0^*(p) = \{a_p, \overset{M_0(p)}{\ldots}, a_p\}$, for each $p \in P$.

Intuitively, for each place $p$ of $N$ we consider a new place $\bar{p}$ in $N^*$. The
construction of $N^*$ is such that $\bar{p}$ contains a single token at any time. The firing
of any transition ensures that the token being used in $p$ coincides with that
in $\bar{p}$. Every time a transition resets a place $p$, the content of $\bar{p}$ is replaced by
a fresh token, so that no token remaining in $p$ can be used. In this way, our
simulation introduces some garbage tokens that, once they become garbage, always
stay like that. Fig. 5 depicts a simple reset net and its simulation.
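
The lockstep behaviour described above can be checked mechanically. The following is an added example, not code from the paper: it fires a reset net and its simulating net side by side and verifies the invariant $M^*(p)(a_p) = M(p)$ of Prop. 9 after every step. The three-transition net, the names `TRANS`, `fire_reset`, `fire_star` and `run`, and the use of integers as fresh names are assumptions of the example; `ctrl[p]` models the single token of the added control place of $p$.

```python
from collections import Counter
from itertools import count

# Constructed reset net (not from the paper): preset, postset and reset set
# of each transition over the places p and q.
TRANS = {
    "produce": {"pre": [],    "post": ["p"], "reset": []},
    "move":    {"pre": ["p"], "post": ["q"], "reset": []},
    "flush":   {"pre": ["q"], "post": [],    "reset": ["p"]},
}

def fire_reset(M, t):
    """Reset-net firing: None if t is disabled, else the successor marking."""
    if any(M[p] == 0 for p in t["pre"]):
        return None
    M2 = dict(M)
    for p in t["pre"]:   M2[p] -= 1
    for p in t["post"]:  M2[p] += 1
    for p in t["reset"]: M2[p] = 0
    return M2

def fire_star(ctrl, data, t, fresh):
    """Simulating net: ctrl[p] is the name held in the control place of p,
    data[p] the multiset of names in p. Only tokens equal to ctrl[p] are usable."""
    if any(data[p][ctrl[p]] == 0 for p in t["pre"]):
        return None
    ctrl2, data2 = dict(ctrl), {p: Counter(c) for p, c in data.items()}
    for p in t["pre"]:   data2[p][ctrl[p]] -= 1
    for p in t["post"]:  data2[p][ctrl[p]] += 1
    for p in t["reset"]: ctrl2[p] = next(fresh)  # tokens left in p are now garbage
    return ctrl2, data2

def run(M0, seq):
    """Fire seq in both nets in lockstep and check the invariant of Prop. 9."""
    fresh = count()
    M = dict(M0)
    ctrl = {p: next(fresh) for p in M0}
    data = {p: Counter({ctrl[p]: M0[p]}) for p in M0}
    for name in seq:
        M2, S2 = fire_reset(M, TRANS[name]), fire_star(ctrl, data, TRANS[name], fresh)
        if (M2 is None) != (S2 is None):
            raise AssertionError("enabledness differs on " + name)
        if M2 is not None:
            M, (ctrl, data) = M2, S2
        if any(data[p][ctrl[p]] != M[p] for p in M):
            raise AssertionError("M*(p)(a_p) != M(p)")
    garbage = sum(sum(c.values()) - c[ctrl[p]] for p, c in data.items())
    depth = max(max(c.values(), default=0) for c in data.values())
    return M, garbage, depth
```

`run` returns the final reset-net marking, the number of garbage tokens left in the simulated places, and the largest multiplicity of any single name in a place. In the sequence move, flush, produce, move, move the last `move` is disabled in both nets even though a garbage token still sits in `p`.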

Proposition 10. Coverability, boundedness and termination for ν-PN are not
primitive recursive.

Proof. Since coverability and termination are Ackermann-hard for reset nets [2!
the previous construction entails Ackermann-hardness for coverability and
termination in ν-PN. This hardness extends to boundedness by means of a very simple
reduction: given a ν-PN $N$ it is enough to build $N'$ by adding to $N$ a place in
which an ordinary token is put in every firing. Clearly, $N$ terminates iff $N'$ is
bounded.



6. Weaker forms of boundedness 

Let us now discuss weaker forms of boundedness. In the first place, we 
characterize boundedness (finiteness of the reachability set) in terms of the form 
of every reachable marking, as is usual in Petri nets. 

Lemma 4. Given a ν-PN with an initial marking, the set of reachable markings
is finite (up to $\equiv_\alpha$) if and only if there is $n > 0$ such that every reachable marking
$M$ satisfies $M(p)(a) \leq n$ for all $p \in P$ and $a \in Id$.

Proof. If $Reach$ is finite we can define $s = \max\{|Id(M)| \mid M \in Reach\}$ and
$k = \max\{M(p)(a) \mid M \in Reach, p \in P, a \in Id(M)\}$. Then, for each reachable
$M$, $|M(p)| = |\sum_{a \in supp(M(p))} M(p)(a)| \leq k \cdot s$ and the net is bounded. Conversely,
if the net is unbounded then for each $n$ there is a reachable $M_n$ such that
$|M_n(p)| > n$ for all $p$, which implies the thesis.

We will use the previous characterization in order to factorize the property of
boundedness. Unlike ordinary P/T nets, that only have one infinite dimension,
ν-PNs have two different sources of infinity: the number of different identifiers
and the number of times each of those identifiers appears. Consequently, several
different notions of boundedness arise, in one of the dimensions, in the other or
in both.

Definition 10. Let $N$ be a ν-PN.

• We say $N$ is width-bounded if there is $n \in \mathbb{N}$ such that for all reachable
$M$, $|Id(M)| \leq n$.

• We say $N$ is depth-bounded if there is $n \in \mathbb{N}$ such that for all reachable
$M$, for all $p \in P$ and for all $a \in Id$, $M(p)(a) \leq n$.

Indeed, width and depth-boundedness factorize boundedness. 

Proposition 11. N is bounded iff it is width-bounded and depth-bounded. 

Proof. It is enough to consider that $|M(p)| = |\sum_{a \in Id(M)} M(p)(a)| \leq |Id(M)| \cdot \max\{M(p)(a) \mid a \in Id\}$.
If there is $n \in \mathbb{N}$ such that $|M(p)| \leq n$ then
$|\sum_{a \in Id(M)} M(p)(a)| \leq n$ and since $Id(M) = \{a \in Id \mid M(p)(a) > 0 \text{ for some } p\}$
we have that $|supp(M(p))| \leq n$ and for all $a \in supp(M(p))$, $M(p)(a) \leq n$.
Conversely, let us assume there are $n$ and $m$ such that $|supp(M(p))| \leq n$
and $M(p)(a) \leq m$. From the latter it follows that
$\max\{M(p)(a) \mid a \in supp(M(p))\} \leq m$. Then, by the previous observation,
$|M(p)| \leq n \cdot m$ and the thesis follows.

Figure 7: Width-bounded but not depth-bounded ν-PN (left) and vice versa (right)



Thanks to the previous result we know that if a ν-PN is bounded then it is
width-bounded and depth-bounded. However, if it is unbounded it could still
be the case that it is width-bounded (see left of Fig. 7) or depth-bounded (see
right of Fig. 7), though not simultaneously width and depth-bounded.



In [27] we prove decidability of width-boundedness for ν-PN. The proof
relies on the results in [ill , [l^ that establish a framework for forward analysis 
for WSTS. We do not show the details here, since they are rather involved. 

Though width and depth-boundedness seem to play a dual role, the proof
of decidability of width-boundedness cannot be adapted to the case of
depth-boundedness. Actually, depth-boundedness turns out to be undecidable, though
this fact could be considered rather counterintuitive (actually, in the paper [7]
there is a wrong decidability proof).

Proposition 12. Depth-boundedness is undecidable for ν-PN.

Proof. Given a ν-PN $N$, let us consider the reset net $N^*$ built in Prop. 9.
Notice that $N$ is bounded iff $N^*$ is depth-bounded. Since boundedness in reset
nets is undecidable Isl we can conclude. 



7. Conclusions and Future Work 



In this paper we have studied the expressive power of a simple extension of 
P/T nets with a primitive that creates fresh names. We knew that the expressive 
power of P/T nets is strictly increased because, unlike for P/T nets, reachability 
is undecidable. However, Turing-completeness is not reached. We have seen 
it by proving that ν-PNs are strictly well-structured systems. In particular,
we obtain that coverability is still decidable for them, as well as boundedness. 
Therefore, ν-PN is in the class of models whose expressive power lies somewhere
in between P/T nets and Turing machines, like Lossy FIFO channel systems [l[ 
or reset nets Q. 

We have also defined two orthogonal notions of boundedness. Since our nets
have names as tokens, it can be the case that a bounded number of different
names appear in every reachable marking. In that case (independently of the
number of times that each of those names appears) we say the net is
width-bounded. Dually, if every name that appears in every reachable marking
appears only a bounded number of times (independently of how many different
names appear) then we say that the net is depth-bounded. Though
width-boundedness is decidable, we have proved undecidability of depth-boundedness
by reducing boundedness in reset nets to it.

Many well structured transition systems have undecidable reachability, with
some notable exceptions. Moreover, we know that coverability is always
decidable for them. Thus, in order to compare the expressive power of different
formalisms that lie in this class, reachability and coverability are not enough.
One could consider other properties, such as different notions of boundedness, though
we have seen that boundedness properties tend to be rather tricky. A different
option is to consider the languages generated when we label transitions with
labels taken from a finite set. Because of the undecidability of reachability, if
we accept words that can be recognized when reaching a given marking, then
we generally obtain the set of recursively enumerable languages. In [l^l the
authors propose to use coverability as accepting condition instead. This yields
a better framework to relate well structured transition systems. In [26] such
framework is used in order to compare ν-PN with other Petri net extensions
such as Affine Well Nets or Data Nets. However, the distinction between ν-PN and
Data Nets remains an open problem.